Web Services Must Report Data Breaches Under New EU Law

July 6 — Online companies that offer services in the European Union will have to comply with minimum data security and breach reporting requirements under a directive approved by the European Parliament July 6.

The EU Network and Information Security Directive (NIS Directive) will apply to online marketplaces such as eBay Inc., cloud computing services and search engines such as Alphabet Inc.’s Google, but not to social networks such as Facebook Inc.

The directive will create an obligation for online companies within its scope to adopt minimum cybersecurity safeguards, including “appropriate and proportionate technical and organizational measures,” such as putting in place incident management systems and complying with international standards on secure networks. Online companies will also be required to report incidents that have a “substantial impact” on the services they offer.

U.S. multinationals transacting business with EU users would fall within the scope of the law.